Have you ever wanted to change the passphrase on an RSA private key? With openssl the steps are easy:
1: Determine how the existing key is encrypted by reading in the private key and looking at the top lines, which show the key type and the encryption used.
2: Re-read the key and write it out encrypted under the new file name and passphrase.
3: If you ever decide to remove the passphrase altogether, just read in the existing private key and write out a new, unencrypted copy.
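The three steps above as a runnable script. This is an added example, not code from the original post: it assumes an openssl binary on PATH, generates a throw-away key, re-encrypts it under a new passphrase, strips the passphrase again, and checks the modulus so you can prove the key material never changed. The file names and both passphrases are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original post: change or remove the passphrase on an
# RSA private key with openssl, and check that the key material itself is unchanged.
# Assumes an `openssl` binary on PATH. The key and both passphrases are constructed here.
command -v openssl >/dev/null 2>&1 || { echo "openssl not on PATH, skipping" >&2; exit 0; }
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Step 1: look at the top of the PEM file. A traditional PEM key carries
# "Proc-Type: 4,ENCRYPTED" plus a DEK-Info line naming the cipher; a PKCS#8 key
# (the OpenSSL 3 default) carries "BEGIN ENCRYPTED PRIVATE KEY". Both say ENCRYPTED.
key_is_encrypted() {
    head -n 3 "$1" | grep -q ENCRYPTED
}

# The modulus identifies the key; it must be identical before and after the change.
key_modulus() {   # $1 key file, $2 passphrase (ignored for an unencrypted key)
    openssl rsa -in "$1" -passin "pass:$2" -noout -modulus 2>/dev/null
}

# Step 2: read with the old passphrase, write under a new name with the new one.
change_passphrase() {   # $1 in file, $2 old pass, $3 out file, $4 new pass
    openssl rsa -in "$1" -passin "pass:$2" -aes256 -passout "pass:$4" -out "$3" 2>/dev/null
}

# Step 3: read with the passphrase, write the key back unencrypted.
strip_passphrase() {   # $1 in file, $2 pass, $3 out file
    openssl rsa -in "$1" -passin "pass:$2" -out "$3" 2>/dev/null
}

# Constructed throw-away key, first protected with an "old" passphrase.
openssl genrsa -out "$WORK/plain.pem" 2048 2>/dev/null
change_passphrase "$WORK/plain.pem" "" "$WORK/old.pem" "old-passphrase"

# The actual passphrase change, then a copy with the passphrase removed.
change_passphrase "$WORK/old.pem" "old-passphrase" "$WORK/new.pem" "new-passphrase"
strip_passphrase  "$WORK/new.pem" "new-passphrase" "$WORK/nopass.pem"

for f in old new nopass; do
    if key_is_encrypted "$WORK/$f.pem"; then state=encrypted; else state=unencrypted; fi
    printf '%-12s %s\n' "$f.pem" "$state"
done
[ "$(key_modulus "$WORK/old.pem" old-passphrase)" = "$(key_modulus "$WORK/new.pem" new-passphrase)" ] \
    && echo "modulus unchanged after passphrase change"
```

The unencrypted copy from step 3 is only as safe as the file permissions around it; the script removes its scratch directory on exit for that reason.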
Ken Felix
NSE ( network security expert) and Route/Switching Engineer
kfelix -----a----t---- socpuppets ---dot---com
^ ^
=( @ @ )=
o
/ \
Sunday, September 27, 2015
What's my RSA key size?
If you have generated an RSA key, you can use openssl to query its key size. A great tip if you have a few key files sitting around and are not sure what size the keys are.
e.g. ( determining an RSA private-key size )
note: if a passphrase is set, you will need to supply it in order to read the private key
e.g. ( determining an RSA public-key size )
Since the public key is not a "private" key, grep on the modulus field. You don't need the private-key file in order to read a public key file.
note: use -pubin for a public key
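Both queries from this post in one script, as an added example that is not from the original post. It assumes an openssl binary on PATH and constructs its own keys: an unencrypted 2048-bit key, a passphrase-protected 3072-bit key, and the public half of each. It shows the size two ways: the "Key: (N bit" line of the -text dump that the post greps for, and the length of the modulus printed by -modulus, which is the field the post suggests for public keys.

```shell
#!/bin/sh
# Added example, not from the original post: query the size of an RSA key with openssl,
# for a private key (with optional passphrase) and for a public key (-pubin).
# Assumes an `openssl` binary on PATH. The keys below are constructed for the demo.
command -v openssl >/dev/null 2>&1 || { echo "openssl not on PATH, skipping" >&2; exit 0; }
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Method 1 (what the post greps for): the "Private-Key: (N bit ...)" or
# "Public-Key: (N bit)" line of the -text dump. $1 key file, $2 priv|pub, $3 passphrase.
rsa_bits_from_text() {
    if [ "$2" = pub ]; then
        openssl rsa -pubin -in "$1" -noout -text 2>/dev/null
    else
        openssl rsa -in "$1" -passin "pass:$3" -noout -text 2>/dev/null
    fi | sed -n 's/.*Key: (\([0-9][0-9]*\) bit.*/\1/p'
}

# Method 2: length of the modulus. openssl prints it as hex without leading zeros,
# so for the usual sizes (multiples of 4 bits) hex digits * 4 == key size.
rsa_bits_from_modulus() {
    if [ "$2" = pub ]; then
        hex=$(openssl rsa -pubin -in "$1" -noout -modulus 2>/dev/null || true)
    else
        hex=$(openssl rsa -in "$1" -passin "pass:$3" -noout -modulus 2>/dev/null || true)
    fi
    hex=${hex#Modulus=}
    echo $(( ${#hex} * 4 ))
}

# Constructed keys: an unencrypted 2048-bit key, a passphrase-protected 3072-bit key,
# and the public half of each (the public half needs no passphrase to read).
openssl genrsa -out "$WORK/k2048.pem" 2048 2>/dev/null
openssl genrsa -out "$WORK/k3072-plain.pem" 3072 2>/dev/null
openssl rsa -in "$WORK/k3072-plain.pem" -aes256 -passout pass:secret -out "$WORK/k3072.pem" 2>/dev/null
openssl rsa -in "$WORK/k2048.pem" -pubout -out "$WORK/k2048.pub" 2>/dev/null
openssl rsa -in "$WORK/k3072.pem" -passin pass:secret -pubout -out "$WORK/k3072.pub" 2>/dev/null

for spec in "k2048.pem priv" "k2048.pub pub" "k3072.pem priv secret" "k3072.pub pub"; do
    set -- $spec
    printf '%-12s text=%s modulus=%s\n' "$1" \
        "$(rsa_bits_from_text "$WORK/$1" "$2" "$3")" \
        "$(rsa_bits_from_modulus "$WORK/$1" "$2" "$3")"
done
```

With the wrong passphrase the -text method prints nothing and the modulus method reports 0 bits, so a key-inventory script should treat either as "could not read", not as a small key.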
Thursday, September 17, 2015
Fortigate securing for remote access ( untrusted networks )
If you remember the use of SSLVPN for remote management in this blog post:
http://socpuppet.blogspot.com/2015/03/sslvpn-sslroot-management-access.html
And running ssh management on a not-so-well-known port:
http://socpuppet.blogspot.com/2014/12/hardening-your-unix-ssh-server-access.html
Well, the final wrap-up is for clients that need to allow ping access. Within FortiOS you allow ssh, ping, http, https, etc. on an interface via the set allowaccess command.
Then restrict the "admin" accounts' access via the trusthost settings for ipv4 or ipv6.
e.g. ( allowaccess )
So if you need to allow ping access, how do we do this securely? Simple: if you need to deploy the wildcard "any", you can define a user with no access and then apply that user with a trusthost set to 0.0.0.0/0.
e.g. ( NOACCESS user on my fgt & accprofile )
In the above we have an account profile named "NOACCESS" for the user. A combination of two-factor authentication, with the token sent to a null email account, will ensure that NOBODY could brute-force the account via the admin account that has a trusthost of ANY for ipv4 or ipv6 networks.
And if he/she ( the hacker ) could access the unit, the account profile will ensure they have ZERO access.
e.g. ( webgui and ssh.....both are blank with no permissions )
You still need to analyze any risk, and whether you need ssh/webgui open, and if yes, to whom. But restricting access via admin accounts and trusthosts can easily be controlled, and by deploying 2-factor authentication you can almost with 120% surety ensure that the account would not be hacked.
Two-factor authentication should still be deployed with a strong password; I like to use a 20+ character password and a not-common "administrator" name.
With the sslvpn management, you can stack various authentication requirements to ensure strong security for accessing the firewalls from remote networks that are deemed untrusted.
Running https and ssh services on not-too-well-known ports will eliminate like 99% of the script kiddies, which are typically an obnoxious & persistent group.
Ensuring strong cipher support for ssh/https and eliminating "SSLv3" from WebGUI management will ensure you can go to sleep without any worries.
Wednesday, September 16, 2015
ipv6 stratum clock servers ( options )
To build an NTP clock server, you can use open-source Linux and the ntpd package with a time-sync card such as a Meinberg. Installing the card and supporting drivers will give you a quick and simple-to-manage time server.
https://www.meinbergglobal.com/
Alternatively you can use EndRun Technologies & its ipv6 server; these plug-and-play devices are simple and reliable. They are used in most major carriers. Unlike Symmetricom, they have been supporting ipv6 ntp clients for some considerable time.
http://www.endruntechnologies.com
With either solution, your ipv6 clock needs will be reliably met. The EndRuns are great ipv6 servers that are affordable and have simple management. They offer CDMA and/or GPS, with external clock inputs.
The NTP server for ipv6 in FortiOS v5.2.3
In a pinch you can use a fortigate as a local LAN ntp server for ipv4 or ipv6 clients. It's not ideal IMHO, because excess clients can create various issues. Also you have no reliable means of filtering who can query your fortigate firewall as an ntp client without deploying a local-in firewall policy.
Here in this blog we have a basic ntp configuration with the wifi interface set to answer ntp queries.
To debug ntp, you can use Fortinet's wonderful diagnostic application function;
On my mac, I used the ntpq or ntpdc query applications to validate the sync.
ntptrace did not work, btw.
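The sync validation the post does by eye with ntpq, turned into a script. This is an added example, not from the original post: it parses the peer table that ntpq -pn prints, finds the selected system peer (the "*" tally), lists peers that have never answered (reach 0), and judges sync healthy only when the system peer's offset is within a threshold. The peer table is constructed sample output so the script runs offline; for real use, feed it the output of ntpq -pn instead.

```shell
#!/bin/sh
# Added example, not from the original post: check NTP sync state by parsing the peer
# table that `ntpq -pn` prints. SAMPLE_NTPQ is constructed sample output so this runs
# offline; replace it with `ntpq -pn` against your server for real use.
# Column layout assumed: tally, remote, refid, st, t, when, poll, reach, delay, offset, jitter.
SAMPLE_NTPQ='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*192.0.2.10      .GPS.            1 u   34   64  377    0.412   -0.123   0.045
+192.0.2.11      192.0.2.10       2 u   12   64  377    0.980    0.310   0.102
 2001:db8::1     .INIT.          16 u    -   64    0    0.000    0.000   0.000'

# Skip the two header lines; split each peer line into the one-character tally code and
# its fields. A blank tally (peer discarded or not yet usable) is printed as "_" so it
# still occupies a column. Output: tally remote refid stratum reach offset
ntp_peers() {
    awk 'NR > 2 && NF >= 10 {
        tally = substr($0, 1, 1); if (tally == " ") tally = "_"
        split(substr($0, 2), f)
        print tally, f[1], f[2], f[3], f[7], f[9] }'
}

# The system peer is the one tagged "*". Prints its address; returns 1 if none.
ntp_syspeer() {
    ntp_peers | awk '$1 == "*" { print $2; found = 1 } END { exit !found }'
}

# Peers whose reach register is 0 have never answered (refid .INIT. in the sample).
ntp_unreachable() {
    ntp_peers | awk '$5 == 0 { print $2 }'
}

# Sync is healthy only if a system peer exists and its |offset| is below $1 ms.
ntp_sync_ok() {
    ntp_peers | awk -v max="$1" '
        $1 == "*" { off = $6; if (off < 0) off = -off; ok = (off < max) }
        END { exit !ok }'
}

echo "system peer:"; printf '%s\n' "$SAMPLE_NTPQ" | ntp_syspeer || echo "none selected"
echo "never reached:"; printf '%s\n' "$SAMPLE_NTPQ" | ntp_unreachable
printf '%s\n' "$SAMPLE_NTPQ" | ntp_sync_ok 0.5 && echo "sync ok (offset within 0.5 ms)"
```

On the sample, the system peer is 192.0.2.10, the ipv6 peer 2001:db8::1 shows up as never reached, and sync passes at a 0.5 ms threshold but fails at 0.1 ms, which is the kind of check worth wiring into monitoring for a firewall used as a LAN clock.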
Tuesday, September 15, 2015
config session ( HOWTO use )
In the Cisco ASA we have the means to config term, but did you know you also have a config session option?
Almost everyone uses config terminal in day-to-day operations, but config session has its own benefits.
1: Here's a few of the highlights;
> it allows you to deploy configuration at a later time
( e.g. you're working on a large ACL and need to take a cafe break or go out to lunch )
> it provides a delay to review any configuration before committal
( great if you have an OPS group that QAs firewall policy changes )
> configurations are manually committed by the user
( by the creator or another... great if you are an administrator and a senior lead commits the changes after review and approval )
> you can abort or revert any change in the configuration process
( e.g. you're configuring a new ACL for a specific filtering event and later need to abort the configuration )
> !!!!!WARNING configuration sessions don't survive reboots/power loss and are not synced to any slaves WARNING!!!!
The config session is easy to deploy. Just craft a name for the session. The name can be any characters, with the length of the session name limited to 32 characters;
in most MSSPs we have used case/ticket numbers or change-control numbers in our names, and that seems to work out great.
And you can only have a max of 3 config sessions active at any one time; the ASA will deliver a warning if you try to exceed that.
The session name can also start with !#@ but cannot contain any spaces.
The use of config session is a must in a SOC/MSSP arena where you have numerous changes underway, IMHO.
Here's a dialog of a session named test using the session command for an access-list creation:
config session test
access-list KENFELIX remark BLOG
access-list KENFELIX line 10 permit tcp host 1.1.1.1 host 1.1.1.2 eq 22
Notice how the changes are shown as un-committed when executing the show configure session command?
Now we can, at this point, either commit or abort the changes after re-entering our configure session <session name>. If we decide to start a new session, we will be warned of the pending session.
Also, the ACL is not part of the running or saved startup configuration since it was never committed.
If we happen to abort the session, all changes are discarded.
Up to this point nothing has been changed.
If we issue commit noconfirm, the changes are pushed into the running-config & the session is completed and terminated.
If you find any sessions that need to be eliminated, use the clear configuration session command
e.g.
show configure session
configure session !123456789012345688901234567890 (un-committed)
clear configuration session !12345678901234568890123456$
It's advisable to review all pending config sessions before starting a new session.
I've worked with a few SOC groups that fought over configurations, and you will find that 2 operators configuring the same item & causing confusion can be avoided.
Good luck
Playing around with ipv6 NTP services
We have a Symmetricom TP5500 on our network. This GPS clock receiver is used for ipv4 clocking. Surprise: we have no ipv6 clock support.
So an ASR9K was used to sync to our ipv4 clock source, and I configured an interface with an ipv6 address for testing.
Tue Sep 15 7:10:06.499 CST
interface GigabitEthernet0/0/0/1
description SOCPUPS_ASR9K_TEST_LAB-ipv6
bandwidth 1500
mtu 1514
ipv6 address 2001:db8:199::1/64
ipv6 enable
speed 1000
shutdown
load-interval 30
transceiver permit pid all
!
To control the interface and ipv6 ntp services you can use the following commands.
ntp
interface <interFaceName>
disable
Better yet, a simple clock access-group for the peers that you want, applied for both ipv4 & ipv6, would work as well.
e.g.
ntp
max-associations 100
server 191.21.3.6 source Loopback0
access-group ipv4 query-only NTP_CLIENT_ACL
access-group ipv6 query-only DENY_ACL
update-calendar
log-internal-sync
!
Forticlient woes on MAC OS X
I ran into an annoying problem on my MacBook Air with the Forticlient. The client will not delete ipsec-vpn entries. This was tried with the lock icon both unlocked and locked, and the entries flat out will not delete.
Now the next problem: the backup fails. It shows it has completed, but no backup file is found.
ASA 9.5.1 ASA5558-X
Well, I couldn't wait; we finally pushed the new ASA software 9.5.1 to one member of a cluster in multi-context mode. The upgrade went smooth.
And now we have one 5558-X on 9.5.1.
http://www.cisco.com/c/en/us/td/docs/security/asa/asa95/release/notes/asarn95.html
Monday, September 14, 2015
Various FortiOS interfaces you should know of
Here's a few virtual interfaces that you will find in the fortigate series of firewalls. They have various purposes, but outside of ssl.root they are not really used for user traffic, nor can you define them in any static routes or firewall policies.
( virtual interfaces )
port_ha = "used primarily for ha sync messages"
havdlink0 = "I have no clue ;)"
eth0 = "used for IPS related activities ( I believe it routes interfaces to the ips engine )"
root = "loopback interface similar to lo in unix"
ssl.root = "used for sslvpn access"
ssl.root carries sslvpn traffic from sslvpn end users; you can define it in firewall policies and static routes, and even use it for management access via ssh, https, ping, etc.
vdom limits and why?
With the fortigates, you have the means to deploy vdom resource limits. This is a must in a multi-tenant environment where you have concerns about resource exhaustion.
If you have concerns over one tenant abusing the resources within its vdom, you can set limits on the resources available, such as:
- firewall address
- firewall policies
- local users
- vpn-tunnels
- etc...
examples:
It's best to learn the max values for your model and the installed FortiOS. The following link shows the various max values for FortiOS.
http://docs.fortinet.com/d/fortigate-maximum-values
Sunday, September 13, 2015
GRE tunnels on a fortigate
In this example, I will show you just how simple it is to build a GRE tunnel. In this case, I have 2 vdoms ( root and custA ). We will source the GRE tunnels using the vdom inter-links between the 2.
With the Fortinet method, you define the GRE tunnel under config system gre-tunnel and then modify the parameters of the resulting interface under config system interface.
Now here are the configs.
And a simple ping across the tunnel interface, with a capture.
I've toggled the data pattern to 0101 using execute ping-options.
Take-away points;
1: GRE has overhead, so a 1500-byte MTU will not fit over this link
2: treat the actual GRE interface like a point-to-point link ( no arp )
3: ensure that the GRE end-points are reachable
4: you can enable any allowaccess methods such as ping ssh https http
5: be aware of any trusthost settings
6: no firewall policy is needed for GRE packets sourced from the firewall itself